The world’s most populated country is now regulating data privacy. As of September 2021, China passed two laws that contain data processing requirements for organizations headquartered in and outside its borders: the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). How might these new laws impact your organization? Here’s what you need to know.
Data Security Law (DSL)
The Data Security Law, which became effective this September, broadly applies to data processing activities for personal and non-personal information (both electronic and non-electronic), and addresses inadequacies in the country’s 2016 Cybersecurity Law. According to the legal news site JDSupra, the DSL:
- Mostly focuses on managing data and security pertaining to website and app operators, but more broadly affects all organizations that process data that might impact “national security, public interest, or lawful consumer rights.” However, what constitutes “public interest” is not clear, and could be broadly interpreted in legal situations. The law also regulates the whole process of accessing, exporting, and utilizing data to guarantee all activities are properly monitored.
- Applies to activities outside of China, meaning foreign organizations must uphold it.
- Requires the Chinese government to “establish a data classification system that dictates which data is of the utmost importance and requires heavier scrutiny,” such as information that affects “national security or key public interests.”
- Requires data processors to establish a security policy and system for risk monitoring. Processors that deal with “higher levels of protection” will be subject to “regular reporting requirements,” whereas all others are “only required to report security breaches.” Further, the law endorses the Cybersecurity Law’s safety review requirement when exporting integral information such as data “pertinent to national security.”
- Includes more severe penalties with fines up to $310,000 USD for data breaches, and as much as nearly $1.6 million USD for breaches that impact national interests. Organizations that don’t comply may be suspended or closed.
Personal Information Protection Law
Similar to the European Union’s General Data Protection Regulation (GDPR), China’s PIPL, which came into full force in November 2021, hands more rights to Chinese consumers to obtain, correct, and delete their personal data. It can also affect foreign organizations that handle Chinese data. Many of these organizations will need to change their data collection and privacy policies to become compliant with the rules or potentially face hefty fines. According to JDSupra, the main features of the PIPL include:
- Data processors must notify consumers about their rights, such as the right to know why their data is being collected and the right to change or delete their data. Processors must get consent from consumers before collecting their data. Private data should only be “minimally processed” for legitimate purposes, and “retention should be controlled” so private data is not being stored on servers “with no purpose.”
- Data controllers must appoint “a personal information protection officer” who will perform regular impact assessments to guarantee data is properly handled. Any “presumption of fault” will fall on the data processor.
- Data transfers between China and other countries come with restrictions, such as “a security review mandate” or a “standard data transfer agreement.”
- Organizations that break the law can be fined as much as five percent of their annual turnover or $7.7 million USD, whichever amount is higher.
As data privacy laws continue to pop up across the world, organizations will need to adapt quickly or potentially face penalties. By ensuring you are already compliant with these rules, your organization will stay one step ahead.
Data Privacy Engineering
In addition to protecting your own network, your organization needs to ensure that the products and systems it develops take data privacy into account. This means limiting the data they collect, determining how your organization retains and uses that data, and ensuring you comply with all relevant regulations, all of which help build consumer trust.
IEEE has partnered with the International Association of Privacy Professionals (IAPP) to provide the IEEE | IAPP Data Privacy Engineering Collection to organizations. This unique training is designed to further educate your technical professionals tasked with developing products so they understand, maintain, and protect data privacy throughout the R&D process. The program provides access to tools that allow your technical workforce to implement policies and processes for designing products that take ethical personal data use into consideration right from the start.
Learners will understand how to:
- recognize the benefits and challenges of emerging technologies and how to use them while respecting customer privacy
- establish organizational privacy practices for data security and control
- learn practical knowledge and insights to address corporate privacy challenges
- leverage the knowledge gained to develop products that take data privacy into account
EPIQ. (1 December). What U.S. Companies Should Expect from China’s New Data Privacy Laws. JDSupra.